The challenges presented by cyber risk have always loomed large for IT and business leaders in financial services. But today they have arguably reached a tipping point. The International Monetary Fund (IMF) devotes a whole chapter to the topic in its latest Global Financial Stability Report. It claims that more than 20,000 attacks on the sector have caused losses exceeding $12bn over the past 20 years.
If that isn’t enough to shake up existing approaches to cyber-risk management in the sector, then new regulations – specifically the EU’s Digital Operational Resilience Act (DORA) – certainly will. And there’s a strong argument for leading any such efforts with a focus on securing banks’ most important assets; their data.
Why the IMF is concerned
The scale of the challenge facing financial services institutions – which range from banks and payment providers to insurers and investment companies – is immediately clear from the report. It argues that “extreme losses” have more than quadrupled since 2017 to $2.5bn. Growing geopolitical tensions and an increased reliance on digital technologies and third-party providers are ramping up risk exposure – as are the uniquely large volumes of highly sensitive data that financial institutions collect, the IMF says.
This doesn’t just put financial services firms themselves at risk. Incidents in the sector could even threaten financial and economic stability if they erode confidence in the financial system, and/or disrupt critical services. The IMF warns of potential market selloffs or runs on banks resulting from serious cyber incidents.
Building resilience
The good news is that this doomsday scenario has not yet become reality. And the IMF would like to keep it that way. That’s why it recommends the following to enhance resilience in the sector:
- Regular assessments of the cybersecurity landscape and identifying potential systemic risks, including from third-party service providers
- Encouraging mature cyber-governance among financial sector firms, including board-level access to cybersecurity expertise
- Improving cyber-hygiene through application of industry best practices
- Prioritizing data reporting and information sharing to enhance collective preparedness
- Developing and testing incident response and recovery processes
Starting with data-centric security
At comforte, we’d argue that data-centric security should be top of the to-do list in terms of cyber-hygiene. Yes, things like employee awareness training, multi-factor authentication and anti-malware are important layers of defense to help mitigate cyber risk. But threat actors have proven themselves capable of bypassing even the most advanced security controls. If they do, financial services organizations need to be confident that any data they access will be rendered useless to their adversaries.
Applying strong encryption or tokenization will ensure this is the case. Technologies like comforte’s Data Security Platform deliver continuous and automated data discovery and classification – so that data can be protected in line with policy, wherever it is located in the enterprise. That means no coverage gaps for threat actors to exploit. It’s the surest way financial services firms can start to insulate themselves from the risks outlined by the IMF. But it can also be a springboard for growth – by enabling expansion into tightly regulated jurisdictions, winning customer and partner trust, and supporting innovative digital initiatives.
With data-centric security, financial services firms can use the wealth of data at their disposal to improve fraud detection, anticipate market trends and drive better strategic decision making – all without compromising the security of the underlying data. It’s time organizations demanded more of themselves, and their suppliers.
